Interrogating Best Practices in Secure Operations and Development

Security operations and secure development are critical requirements that receive significant personnel, resources, training and other kinds of attention. As best practices proliferate, there has been little empirical research as to which are most effective and why. In this talk, I will review recent empirical studies that examine in depth the utility of threat modeling, CTF contests as security training exercises and other topics. These studies highlight the benefits of academic-industry collaboration for evaluating and reconsidering best practices.

About the speaker

Michelle Mazurek is an Assistant Professor in the Computer Science Department at the University of Maryland, College Park. Her research aims to understand and improve the human elements of security and privacy-related decision making. Recent projects include examining how and why developers make security and privacy mistakes; evaluating the use of threat modeling in large-scale organizations; analyzing how users learn about and decide whether to adopt security advice; and contrasting user expectations with app behavior in Android apps.

Her work has recently been recognized with an NSA Best Scientific Cybersecurity Paper Award and a USENIX Security Distinguished Paper Award. She is Program Chair for the Symposium on Usable Privacy and Security (SOUPS) for 2019 and 2020. Mazurek received her PhD in Electrical and Computer Engineering from Carnegie Mellon University in 2014.